A working roadmap for ExpoGraph and the broader GrayArea toolkit. Dates intentionally loose — we ship when it’s right, not when it’s due.
Direction, not commitment. Priorities shift based on what users tell us actually matters.
Move out of beta. Stabilized RBAC, hardened auth, full Postgres parity, and a polished onboarding flow for first-time deployment.
Native ingest of SCAP scan results to round out the assessment-data import story alongside Nessus and STIG checklists.
Two-way sync with Jira and ServiceNow so remediation actions live where engineers already work — without breaking the air-gap story.
Automatic mapping from findings to NIST 800-171, CMMC Level 2, and CIS Controls — so a triage queue doubles as audit evidence.
Single-binary distribution with bundled NVD/KEV mirrors for fully disconnected environments. Designed for classified and OT networks.
Lightweight scheduled re-scan orchestration with drift detection, so ExpoGraph tracks ongoing posture rather than only point-in-time triage.
STRIDE/PASTA-style modeling that pulls real asset and exposure context from ExpoGraph instead of starting from a blank diagram.
Earlier-stage ideas being prototyped or scoped. None of these are committed — share what resonates and we’ll prioritize.
External attack-surface mapping built on the same self-hosted, no-telemetry principles. Pulls passive DNS, cert transparency, and exposed-service signals into ExpoGraph.
A pre-built library of CMMC and 800-171 procedure templates, evidence checklists, and SSP scaffolding — paired tightly with ExpoGraph findings.
Lightweight host-side agent for collecting configuration and patch state. It feeds ExpoGraph an internal source of truth for assets without a full EDR install.
A small, documented SDK for writing custom importers, enrichers, and exporters — so teams can extend ExpoGraph without forking it.